var capDesc = {
  SETPCAP: 'Modify process capabilities.',
  MKNOD: 'Create special files using mknod(2).',
  AUDIT_WRITE: 'Write records to kernel auditing log.',
  CHOWN: 'Make arbitrary changes to file UIDs and GIDs (see chown(2)).',
  NET_RAW: 'Use RAW and PACKET sockets.',
  DAC_OVERRIDE: 'Bypass file read, write, and execute permission checks.',
  FOWNER: 'Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.',
  FSETID: 'Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.',
  KILL: 'Bypass permission checks for sending signals.',
  SETGID: 'Make arbitrary manipulations of process GIDs and supplementary GID list.',
  SETUID: 'Make arbitrary manipulations of process UIDs.',
  NET_BIND_SERVICE: 'Bind a socket to internet domain privileged ports (port numbers less than 1024).',
  SYS_CHROOT: 'Use chroot(2), change root directory.',
  SETFCAP: 'Set file capabilities.',
  SYS_MODULE: 'Load and unload kernel modules.',
  SYS_RAWIO: 'Perform I/O port operations (iopl(2) and ioperm(2)).',
  SYS_PACCT: 'Use acct(2), switch process accounting on or off.',
  SYS_ADMIN: 'Perform a range of system administration operations.',
  SYS_NICE: 'Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.',
  SYS_RESOURCE: 'Override resource Limits.',
  SYS_TIME: 'Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.',
  SYS_TTY_CONFIG: 'Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.',
  AUDIT_CONTROL: 'Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.',
  MAC_ADMIN: 'Allow MAC configuration or state changes. Implemented for the Smack LSM.',
  MAC_OVERRIDE: 'Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).',
  NET_ADMIN: 'Perform various network-related operations.',
  SYSLOG: 'Perform privileged syslog(2) operations.',
  DAC_READ_SEARCH: 'Bypass file read permission checks and directory read and execute permission checks.',
  LINUX_IMMUTABLE: 'Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.',
  NET_BROADCAST: 'Make socket broadcasts, and listen to multicasts.',
  IPC_LOCK: 'Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).',
  IPC_OWNER: 'Bypass permission checks for operations on System V IPC objects.',
  SYS_PTRACE: 'Trace arbitrary processes using ptrace(2).',
  SYS_BOOT: 'Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.',
  LEASE: 'Establish leases on arbitrary files (see fcntl(2)).',
  WAKE_ALARM: 'Trigger something that will wake up the system.',
  BLOCK_SUSPEND: 'Employ features that can block system suspend.',
};

export function ContainerCapabilities() {
  // all capabilities can be found at https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
  return [
    new ContainerCapability('SETPCAP', true),
    new ContainerCapability('MKNOD', true),
    new ContainerCapability('AUDIT_WRITE', true),
    new ContainerCapability('CHOWN', true),
    new ContainerCapability('NET_RAW', true),
    new ContainerCapability('DAC_OVERRIDE', true),
    new ContainerCapability('FOWNER', true),
    new ContainerCapability('FSETID', true),
    new ContainerCapability('KILL', true),
    new ContainerCapability('SETGID', true),
    new ContainerCapability('SETUID', true),
    new ContainerCapability('NET_BIND_SERVICE', true),
    new ContainerCapability('SYS_CHROOT', true),
    new ContainerCapability('SETFCAP', true),
    new ContainerCapability('SYS_MODULE', false),
    new ContainerCapability('SYS_RAWIO', false),
    new ContainerCapability('SYS_PACCT', false),
    new ContainerCapability('SYS_ADMIN', false),
    new ContainerCapability('SYS_NICE', false),
    new ContainerCapability('SYS_RESOURCE', false),
    new ContainerCapability('SYS_TIME', false),
    new ContainerCapability('SYS_TTY_CONFIG', false),
    new ContainerCapability('AUDIT_CONTROL', false),
    new ContainerCapability('MAC_ADMIN', false),
    new ContainerCapability('MAC_OVERRIDE', false),
    new ContainerCapability('NET_ADMIN', false),
    new ContainerCapability('SYSLOG', false),
    new ContainerCapability('DAC_READ_SEARCH', false),
    new ContainerCapability('LINUX_IMMUTABLE', false),
    new ContainerCapability('NET_BROADCAST', false),
    new ContainerCapability('IPC_LOCK', false),
    new ContainerCapability('IPC_OWNER', false),
    new ContainerCapability('SYS_PTRACE', false),
    new ContainerCapability('SYS_BOOT', false),
    new ContainerCapability('LEASE', false),
    new ContainerCapability('WAKE_ALARM', false),
    new ContainerCapability('BLOCK_SUSPEND', false),
  ].sort(function (a, b) {
    return a.capability < b.capability ? -1 : 1;
  });
}

export function ContainerCapability(cap, allowed) {
  this.capability = cap;
  this.allowed = allowed;
  this.description = capDesc[cap];
}
